diff -Nru -x messages -x '*.png' -x '*.jpg' -x '*.xcf' mediawiki-1.15.1/includes/db/DatabaseSqlite.php mediawiki-1.15.2/includes/db/DatabaseSqlite.php
--- mediawiki-1.15.1/includes/db/DatabaseSqlite.php	2009-01-19 05:56:08.000000000 -0800
+++ mediawiki-1.15.2/includes/db/DatabaseSqlite.php	2009-10-16 08:23:48.000000000 -0700
@@ -497,6 +497,13 @@
 		return $s;
 	}
 
+	/*
+	 * Build a concatenation list to feed into a SQL query
+	 */
+	function buildConcat( $stringList ) {
+		return '(' . implode( ') || (', $stringList ) . ')';
+	}
+
 } // end DatabaseSqlite class
 
 /**
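Review bot: `buildConcat()` joins every entry of `$stringList` into the query text verbatim, and the added comment does not say that entries must already be complete, safely quoted SQL expressions. I would turn the `/*` block into a `/** … */` docblock stating that each element is a raw SQL fragment which the caller has quoted with the database's own quoting method, with `@param $stringList Array of SQL expressions` and `@return String`. An empty array produces `()`, which is not a valid expression, so the docblock should require a non-empty list or the method should guard against it.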
diff -Nru -x messages -x '*.png' -x '*.jpg' -x '*.xcf' mediawiki-1.15.1/includes/DefaultSettings.php mediawiki-1.15.2/includes/DefaultSettings.php
--- mediawiki-1.15.1/includes/DefaultSettings.php	2009-07-13 09:47:17.000000000 -0700
+++ mediawiki-1.15.2/includes/DefaultSettings.php	2010-03-08 14:52:50.000000000 -0800
@@ -33,7 +33,7 @@
 }
 
 /** MediaWiki version number */
-$wgVersion			= '1.15.1';
+$wgVersion			= '1.15.2';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename         = 'MediaWiki';
@@ -2561,7 +2561,7 @@
  * $wgExtensionCredits[$type][] = array(
  * 	'name' => 'Example extension',
  *  'version' => 1.9,
- *  'svn-revision' => '$LastChangedRevision: 53179 $',
+ *  'svn-revision' => '$LastChangedRevision: 63438 $',
  *	'author' => 'Foo Barstein',
  *	'url' => 'http://wwww.example.com/Example%20Extension/',
  *	'description' => 'An example extension',
diff -Nru -x messages -x '*.png' -x '*.jpg' -x '*.xcf' mediawiki-1.15.1/includes/Sanitizer.php mediawiki-1.15.2/includes/Sanitizer.php
--- mediawiki-1.15.1/includes/Sanitizer.php	2009-01-06 18:31:30.000000000 -0800
+++ mediawiki-1.15.2/includes/Sanitizer.php	2010-03-08 14:34:15.000000000 -0800
@@ -658,24 +658,48 @@
 	 * @return mixed
 	 */
 	static function checkCss( $value ) {
-		$stripped = Sanitizer::decodeCharReferences( $value );
+		$value = Sanitizer::decodeCharReferences( $value );
 
 		// Remove any comments; IE gets token splitting wrong
-		$stripped = StringUtils::delimiterReplace( '/*', '*/', ' ', $stripped );
+		$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
 
-		$value = $stripped;
-
-		// ... and continue checks
-		$stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
-			'codepointToUtf8(hexdec("$1"))', $stripped );
-		$stripped = str_replace( '\\', '', $stripped );
-		if( preg_match( '/(?:expression|tps*:\/\/|url\\s*\().*/is',
-				$stripped ) ) {
-			# haxx0r
+		// Decode escape sequences and line continuation
+		// See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately.
+		// IE 8 doesn't implement it at all, but there's no way to introduce url() into
+		// IE that doesn't hit Mozilla also.
+		static $decodeRegex;
+		if ( !$decodeRegex ) {
+			$space = '[\\x20\\t\\r\\n\\f]';
+			$nl = '(?:\\n|\\r\\n|\\r|\\f)';
+			$backslash = '\\\\';
+			$decodeRegex = "/ $backslash 
+				(?:
+					($nl) |  # 1. Line continuation
+					([0-9A-Fa-f]{1,6})$space? |  # 2. character number
+					(.) # 3. backslash cancelling special meaning
+				)/xu";
+		}
+		$decoded = preg_replace_callback( $decodeRegex, 
+			array( __CLASS__, 'cssDecodeCallback' ), $value );
+		if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {
+			// Not allowed
 			return false;
+		} else {
+			// Allowed, return CSS with comments stripped
+			return $value;
 		}
+	}
 
-		return $value;
+	static function cssDecodeCallback( $matches ) {
+		if ( $matches[1] !== '' ) {
+			return '';
+		} elseif ( $matches[2] !== '' ) {
+			return codepointToUtf8( hexdec( $matches[2] ) );
+		} elseif ( $matches[3] !== '' ) {
+			return $matches[3];
+		} else {
+			throw new MWException( __METHOD__.': invalid match' );
+		}
 	}
 
 	/**
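Review bot: `checkCss()` fails open when the decode step errors: `preg_replace_callback()` returns NULL on a PCRE error (for example a subject that is not valid UTF-8 under the `u` modifier), `preg_match()` then finds nothing in `$decoded`, and the `else` branch returns `$value` as allowed. Treat a failed decode as a rejection, e.g. `if ( $decoded === null || preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {`. The hex branch of `cssDecodeCallback()` also hands any one-to-six-digit value to `codepointToUtf8()`, which can exceed U+10FFFF; that helper is not in this hunk, so confirm what it does for out-of-range input. `cssDecodeCallback()` has no docblock, and a short one saying that it maps the three capture groups of `$decodeRegex` to their decoded text would help.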
diff -Nru -x messages -x '*.png' -x '*.jpg' -x '*.xcf' mediawiki-1.15.1/install-utils.inc mediawiki-1.15.2/install-utils.inc
--- mediawiki-1.15.1/install-utils.inc	2009-03-21 09:48:09.000000000 -0700
+++ mediawiki-1.15.2/install-utils.inc	2010-03-08 09:42:20.000000000 -0800
@@ -33,6 +33,26 @@
 			"or higher. ABORTING. (http://bugs.php.net/bug.php?id=34879 for details)\n";
 		die( -1 );
 	}
+	
+	$test = new PhpXmlBugTester();
+	if( !$test->ok ) {
+		echo "Your system has a combination of PHP and libxml2 versions which is buggy\n" .
+			"and can cause hidden data corruption in MediaWiki and other web apps.\n" .
+			"Upgrade to PHP 5.2.9 or later and libxml2 2.7.3 or later!\n" .
+			"ABORTING (http://bugs.php.net/bug.php?id=45996 for details).\n";
+		die( -1 );
+	}
+	
+
+	$test = new PhpRefCallBugTester;
+	$test->execute();
+	if ( !$test->ok ) {
+		echo "PHP 5.3.1 is not compatible with MediaWiki due to a bug involving\n" .
+			"reference parameters to __call. Upgrade to PHP 5.3.2 or higher, or \n" .
+			"downgrade to PHP 5.3.0 to fix this.\n" .
+			"ABORTING (see http://bugs.php.net/bug.php?id=50394 for details)\n";
+		die( -1 );
+	}
 
 	global $wgCommandLineMode;
 	$wgCommandLineMode = true;
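Review bot: The two added checks drive their testers differently: `PhpXmlBugTester` runs its probe in the constructor, while `PhpRefCallBugTester` needs a separate `$test->execute()` before `ok` means anything, and only one of the two `new` expressions has parentheses. Giving both classes the same shape (both probing in `__construct()`, or both exposing `execute()`) would make the call sites read alike and remove the chance of reading `ok` before the probe has run. The enclosing function starts and ends outside this hunk.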
@@ -69,6 +89,52 @@
 	}
 }
 
+/**
+ * Test for PHP+libxml2 bug which breaks XML input subtly with certain versions.
+ * http://bugs.php.net/bug.php?id=45996
+ * Known fixed with PHP 5.2.9 + libxml2-2.7.3
+ */
+class PhpXmlBugTester {
+	var $parsedData = '';
+	var $ok = false;
+	function __construct() {
+		$charData = '<b>c</b>';
+		$xml = '<a>' . htmlspecialchars( $charData ) . '</a>';
+		
+		$parser = xml_parser_create();
+		xml_set_character_data_handler( $parser, array( $this, 'chardata' ) );
+		$parsedOk = xml_parse($parser, $xml, true);
+		$this->ok = $parsedOk && ($this->parsedData == $charData);
+	}
+	function chardata($parser, $data) {
+		$this->parsedData .= $data;
+	}
+}
+
+/**
+ * Test for PHP bug #50394 (PHP 5.3.x conversion to null only, not 5.2.x)
+ */
+class PhpRefCallBugTester {
+	public $ok = false;
+
+	function __call( $name, $args ) {
+		$old = error_reporting( E_ALL & ~E_WARNING );
+		call_user_func_array( array( $this, 'checkForBrokenRef' ), $args );
+		error_reporting( $old );
+	}
+
+	function checkForBrokenRef( &$var ) {
+		if ( $var ) {
+			$this->ok = true;
+		}
+	}
+
+	function execute() {
+		$var = true;
+		call_user_func_array( array( $this, 'foo' ), array( &$var ) );
+	}
+}
+
 function readconsole( $prompt = '' ) {
 	static $isatty = null;
 	if ( is_null( $isatty ) ) {
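Review bot: `PhpXmlBugTester::__construct()` creates a parser with `xml_parser_create()` and never releases it; add `xml_parser_free( $parser );` after the `xml_parse()` call. The result check compares two strings with `==`, and `$this->parsedData === $charData` would avoid PHP's loose string comparison. In `PhpRefCallBugTester::__call()` the saved `error_reporting` level is restored only if the inner call returns normally. `execute()` deliberately calls the undefined method `foo` so that the reference is routed through `__call`, and a one-line comment saying so would make that intent clear to the next reader.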
@@ -144,4 +210,4 @@
 		&& is_callable( 'dl' )
 		&& wfIniGetBool( 'enable_dl' )
 		&& !wfIniGetBool( 'safe_mode' );
-}
\ No newline at end of file
+}
diff -Nru -x messages -x '*.png' -x '*.jpg' -x '*.xcf' mediawiki-1.15.1/maintenance/moveBatch.php mediawiki-1.15.2/maintenance/moveBatch.php
--- mediawiki-1.15.1/maintenance/moveBatch.php	2009-01-03 08:20:05.000000000 -0800
+++ mediawiki-1.15.2/maintenance/moveBatch.php	2010-03-08 09:58:22.000000000 -0800
@@ -81,7 +81,8 @@
 	$dbw->begin();
 	$err = $source->moveTo( $dest, false, $reason );
 	if( $err !== true ) {
-		print "\nFAILED: $err";
+		$msg = array_shift( $err[0] );
+		print "\nFAILED: " . wfMsg( $msg, $err[0] );
 	}
 	$dbw->immediateCommit();
 	print "\n";
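Review bot: Only the first entry of `$err` is reported, and the code indexes `$err[0]` without checking that `$err` is an array of message arrays. `moveTo()` is not in this hunk, so its failure shape is inferred from this usage; if it can return several errors, loop with `foreach ( $err as $e )`, shift the message key off `$e` and print one `FAILED:` line per entry. `wfMsg( $msg, $err[0] )` also passes the remaining parameters as a single array argument, so confirm that `wfMsg()` expands an array in that position.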
diff -Nru -x messages -x '*.png' -x '*.jpg' -x '*.xcf' mediawiki-1.15.1/maintenance/parserTests.txt mediawiki-1.15.2/maintenance/parserTests.txt
--- mediawiki-1.15.1/maintenance/parserTests.txt	2009-03-25 05:27:04.000000000 -0700
+++ mediawiki-1.15.2/maintenance/parserTests.txt	2010-03-08 14:34:15.000000000 -0800
@@ -4357,6 +4357,23 @@
 
 !! end
 
+!! test
+CSS line continuation 1
+!! input
+<div style="background-image: u\&#10;rl(test.jpg);"></div>
+!! result
+<div></div>
+
+!! end
+
+!! test
+CSS line continuation 2
+!! input
+<div style="background-image: u\&#13;rl(test.jpg); "></div>
+!! result
+<div></div>
+
+!! end
 
 !! article
 Template:Identity
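Review bot: The two new cases cover only the `\n` and `\r` alternatives of the line-continuation rule; the `$nl` pattern added to `Sanitizer::checkCss()` in this release also accepts `\r\n` and `\f`, and neither has a test. There is also no positive case showing that a harmless `style` value containing a backslash escape is still passed through unchanged. Adding one case per remaining alternative plus one allowed-value case would pin both the rejection and the pass-through behaviour.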
diff -Nru -x messages -x '*.png' -x '*.jpg' -x '*.xcf' mediawiki-1.15.1/maintenance/updaters.inc mediawiki-1.15.2/maintenance/updaters.inc
--- mediawiki-1.15.1/maintenance/updaters.inc	2009-06-09 05:58:05.000000000 -0700
+++ mediawiki-1.15.2/maintenance/updaters.inc	2009-12-15 09:24:12.000000000 -0800
@@ -1221,7 +1221,8 @@
 
 function sqlite_initial_indexes() {
 	global $wgDatabase;
-	if ( update_row_exists( 'initial_indexes' ) ) {
+	// initial-indexes.sql fails if the indexes are already present, so we perform a quick check if our database is newer.
+	if ( update_row_exists( 'initial_indexes' ) || $wgDatabase->indexExists( 'user', 'user_name' ) ) {
 		wfOut( "...have initial indexes\n" );
 		return;
 	}
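Review bot: The new condition treats the presence of one index, `user_name` on `user`, as proof that every index created by initial-indexes.sql exists, so a database that has only some of them would skip the rest silently. The added comment should say that this single index is used as a proxy and why that is safe, and it is long enough to wrap onto two lines. The body of `sqlite_initial_indexes()` continues outside this hunk.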
@@ -1813,8 +1814,8 @@
 			'ctype' => 'U',
 			'mw_version' => $wgVersion,
 			'pg_version' => $version,
-			'sql_version' => '$LastChangedRevision: 51640 $',
-			'sql_date' => '$LastChangedDate: 2009-06-09 05:58:05 -0700 (Tue, 09 Jun 2009) $',
+			'sql_version' => '$LastChangedRevision: 60080 $',
+			'sql_date' => '$LastChangedDate: 2009-12-15 09:24:12 -0800 (Tue, 15 Dec 2009) $',
 		) );
 	return;
 }
diff -Nru -x messages -x '*.png' -x '*.jpg' -x '*.xcf' mediawiki-1.15.1/maintenance/upgrade1_5.php mediawiki-1.15.2/maintenance/upgrade1_5.php
--- mediawiki-1.15.1/maintenance/upgrade1_5.php	2008-05-20 10:13:28.000000000 -0700
+++ mediawiki-1.15.2/maintenance/upgrade1_5.php	2010-01-10 21:03:22.000000000 -0800
@@ -18,6 +18,15 @@
 require_once( 'commandLine.inc' );
 require_once( 'FiveUpgrade.inc' );
 
+echo "ATTENTION: This script is for upgrades from 1.4 to 1.5 (NOT 1.15) in very special cases.\n";
+echo "Use update.php for usual updates.\n";
+
+// Seems to confuse some people
+if ( !array_search( '--upgrade', $_SERVER['argv'] ) ) {
+	echo "Please run this script with --upgrade key to actually run the updater.\n";
+	die;
+}
+
 $upgrade = new FiveUpgrade();
 $step = isset( $options['step'] ) ? $options['step'] : null;
 $upgrade->upgrade( $step );
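Review bot: `!array_search( '--upgrade', $_SERVER['argv'] )` tests the returned key for truthiness, so a match at index 0 counts as not found, and the search uses loose comparison; `if ( !in_array( '--upgrade', $_SERVER['argv'], true ) ) {` states the intent directly. The bare `die;` exits with status 0, so a wrapper script cannot tell the refusal from a successful run, whereas `die( 1 );` after the message would signal it. The comment `// Seems to confuse some people` could say what is confusing, namely that this script gets mistaken for the regular updater.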
diff -Nru -x messages -x '*.png' -x '*.jpg' -x '*.xcf' mediawiki-1.15.1/RELEASE-NOTES mediawiki-1.15.2/RELEASE-NOTES
--- mediawiki-1.15.1/RELEASE-NOTES	2009-07-13 10:13:27.000000000 -0700
+++ mediawiki-1.15.2/RELEASE-NOTES	2010-03-08 14:49:14.000000000 -0800
@@ -3,11 +3,11 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it *off* if you can.
 
-== MediaWiki 1.15.1 ==
+== MediaWiki 1.15.2 ==
 
-July 14, 2009
+March 8, 2010
 
-This is a security and bugfix release of the the 2009 Q2 branch of MediaWiki. 
+This is a security and maintenance release.
 
 MediaWiki is now using a "continuous integration" development model with
 quarterly snapshot releases. The latest development code is always kept
@@ -20,6 +20,22 @@
 Those wishing to use the latest code instead of a branch release can obtain
 it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 
+=== Changes since 1.15.1 ===
+
+* The installer now includes a check for a data corruption issue with certain
+  versions of libxml2 2.7 and PHP earlier than 5.2.9, and also for a PHP bug 
+  present in the official release of PHP 5.3.1.
+* (bug 20239) MediaWiki:Imagemaxsize does not contain anymore a <br /> tag which
+  was displayed to the user
+* (bug 21150) SQLite no longer raise an error when deleting files
+* (bug 20880) Fixed updater failure on SQLite backend
+* upgrade1_5.php now requires to be run --update option to prevent confusion
+* Fixed a CSS validation issue which allowed external images to be included 
+  into wikis where that is disallowed by configuration.
+* Fixed a data leakage vulnerability for private wikis using img_auth.php or 
+  similar image access authentication schemes. Check user permissions before 
+  streaming out scaled images from thumb.php.
+
 === Changes since 1.15.0 ===
 
 * Fixed fatal errors for unusual file repository configurations, such as 
diff -Nru -x messages -x '*.png' -x '*.jpg' -x '*.xcf' mediawiki-1.15.1/thumb.php mediawiki-1.15.2/thumb.php
--- mediawiki-1.15.1/thumb.php	2008-12-01 09:14:30.000000000 -0800
+++ mediawiki-1.15.2/thumb.php	2010-03-08 14:49:14.000000000 -0800
@@ -20,6 +20,9 @@
 
 function wfThumbMain() {
 	wfProfileIn( __METHOD__ );
+
+	$headers = array();
+
 	// Get input parameters
 	if ( get_magic_quotes_gpc() ) {
 		$params = array_map( 'stripslashes', $_REQUEST );
@@ -65,6 +68,17 @@
 		$img = wfLocalFile( $fileName );
 	}
 
+	// Check permissions if there are read restrictions
+	if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
+		if ( !$img->getTitle()->userCanRead() ) {
+			wfThumbError( 403, 'Access denied. You do not have permission to access ' . 
+				'the source file.' );
+			return;
+		}
+		$headers[] = 'Cache-Control: private';
+		$headers[] = 'Vary: Cookie';
+	}
+
 	if ( !$img ) {
 		wfThumbError( 404, wfMsg( 'badtitletext' ) );
 		return;
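Review bot: The permission block dereferences `$img` with `$img->getTitle()` before the existing `if ( !$img )` check that follows it, so on a wiki with read restrictions a request whose file cannot be resolved hits a method call on a non-object instead of the 404 path. Move the added block below the `!$img` check (or move that check above it) so the title is only read from a valid file object. A comment explaining that `Cache-Control: private` and `Vary: Cookie` are there to stop shared caches serving a restricted thumbnail to another user would also help. `wfThumbMain()` starts and ends outside this hunk.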
@@ -101,7 +115,7 @@
 			$thumbPath = $img->getThumbPath( $thumbName );
 
 			if ( is_file( $thumbPath ) ) {
-				wfStreamFile( $thumbPath );
+				wfStreamFile( $thumbPath, $headers );
 				return;
 			}
 		}
@@ -128,7 +142,7 @@
 		$errorMsg = wfMsgHtml( 'thumbnail_error', 'Image was not scaled, ' .
 			'is the requested width bigger than the source?' );
 	} else {
-		wfStreamFile( $thumb->getPath() );
+		wfStreamFile( $thumb->getPath(), $headers );
 	}
 	if ( $errorMsg !== false ) {
 		wfThumbError( 500, $errorMsg );
@@ -143,6 +157,9 @@
 	header( 'Content-Type: text/html; charset=utf-8' );
 	if ( $status == 404 ) {
 		header( 'HTTP/1.1 404 Not found' );
+	} elseif ( $status == 403 ) {
+		header( 'HTTP/1.1 403 Forbidden' );
+		header( 'Vary: Cookie' );
 	} else {
 		header( 'HTTP/1.1 500 Internal server error' );
 	}
